Certificate reference: DPA/s111/GCHQ 


SECTION 111 DATA PROTECTION ACT 2018 


CERTIFICATE OF THE SECRETARY OF STATE 


1. Whereas: 


1.1 


1.2 


1.3 


By section 110 of the Data Protection Act 2018 (“the Act”) itis provided that 
the processing of personal data is exempt from certain provisions of the Act 
if the exemption from that provision is required for the purpose of 
safeguarding national security. For information, a full list of these provisions 
is provided at Annex A. 


by section 111(1) it is provided that a certificate signed by a Minister of the 
Crown certifying that an exemption from all or any of the provisions 
mentioned in section 110(2) is or at any time was required for the purpose of 
safeguarding national security in respect of any personal data shall be 
conclusive evidence of that fact; 


by section 111(2), it is provided that a certificate under section 111(1) may 
identify the personal data to which it applies by means of a general 
description and may be expressed to have prospective effect. 


2. And considering the potentially serious adverse repercussions for the national 
security of the United Kingdom if the exemptions hereafter identified were not 
available. 


3. And for the reasons set out below: 


3.1 


3.2 


3.2 


The work of the intelligence services (the Security Service, the Secret 
Intelligence Service and the Government Communications Headquarters) of 
the Crown requires secrecy. 


The very nature of the work of the Government Communications 
Headquarters (GCHQ) requires exemption on national security grounds from 
those parts of the Act that would for example, limit their ability to perform 
their statutory functions and that would allow access to GCHQ’s premises by 
third parties. 


The general principle of neither confirming nor denying whether GCHQ, 
processes data about an individual, or whether others are processing 
personal data for, on behalf of, with a view to assisting, working with, or in 
relation to the functions of GCHQ is an essential part of that secrecy. In 
dealing with requests for information or access under the Data Protection Act 
2018, GCHQ will examine each individual request to determine: 


(i) 


(ii) 


whether adherence to that general principle is required for the purpose of 
safeguarding national security; and 


in the event that such adherence is not required, whether and to what 
extent the non-communication of any data or any description of data is 
required for the purpose of safeguarding national security. 


4. Now, therefore, I, the Right Hon Jeremy Hunt MP, being a Minister of the Crown 
who is a member of the Cabinet, in exercise of the powers conferred by the said 
section 111, do issue this certificate and certify as follows: 


4.1 


4.2 


4.3 


(i) 


(ii) 


That any personal data that is processed by GCHQ as described in Column 
1 in the table below is and shall continue to be required to be exempt from 
those provisions of the Act that are set out in Column 2; 


That any personal data that is processed by any other person or body (“third 
party”) as described in Column 1 in the table below, is and shall continue to 
be exempt in the circumstances specified below from the provisions of the 
Act set out in Column 2 below; 


The specified circumstances are the processing of personal data by the third 
party in the course of data processing operations carried out: 


(a) for, on behalf of or at the request of GCHQ or 


(b) in relation to the functions of GCHQ described in section 3 of the 
Intelligence Services Act 1994, in both cases where GCHQ is the data 
controller; 


all for the purpose of safeguarding national security, provided that: 


data shall not be exempt from the provisions of sections 93 and 94 of the 
Data Protection Act 2018 if GCHQ, after considering any request by a 
data subject for access to relevant personal data, determines that 
adherence to the principle of neither confirming nor denying whether 
GCHQ holds that data about an individual is not required for the purpose 
of safeguarding national security; 


data shall not be exempt from the provisions of sections 93(1)(b)-(d) and 
(g), 94(1)(a)-(b), 94(2)(a)-(d) and (g) and 98 of the Data Protection Act 
2018 if GCHQ, after considering any request by a data subject for access 
to relevant personal data, determines that non-communication of that 
data or any description of that data is not required for the purpose of 
safeguarding national security. 


a) Personal data processing in 
performance of the functions of GCHQ 
described in section 3 of the Intelligence 
Services Act 1994 including but not 
limited to: 


e operational data 


e data relating to human resources 
(including recruitment candidates, 
current and former members of staff 
and contractors) 


vetting-related data 


data relating to building and 
personnel security (including CCTV) 


data relating to commercial 
relationships 


b) Personal data processing under Part 4 
of the Data Protection Act by third 
parties, including but not limited to: 


e other Government departments | 
e public authorities 


e commercial organisations 


where that processing is: 


e for, on behalf of, or at the request of 
GCHQ or in relation to its functions 
described in section 3 of the 
Intelligence Services Act 1994, and 


GCHQ is the data controller. 


Expires 


Data Protection Act 2018: 

(i) Section 86(1)(b) 

(il) Section 89 

(iii) Section 93(1)(b)-(d) and (g) 
(iv) Section 94(1)(a)-(b), 

(v) Section 94(2)(a)-(d) and (g), 
(vi) Sections 96-97 

(vii) Section 99(1)-(3) 

(vill) Section 119 

(ix) Section 142 

(x) Section 146 

(xi) Section 148 

(xii) Sections 149-151 

(xiii) Section 154 

(xiv) Sections 170-173 

(xv) Schedule 13, paragraphs 1(a), (g) and 2 
(xvi) Schedule 15 


ANNEX A 


Section 86(1)(b) 


First data protection principle, duty to be fair and 
transparent ` 


Section 86(3)-86(7) Remainder of the first data protection principle 
Sections 87-91 Second to sixth data protection principles 


Sections 92-100 Chapter 3, rights of the data subject 


Section 108 
section 119 Inspection in accordance with international obligations 


Sections 142-154 


Communication of a personal data breach to the 
Commissioner 


Commissioner's notices and powers of entry and 
inspection 


Sections 170-173 Offences relating to personal data 


Sections 174-176 Provisions relating to the special purposes 


Schedule 13 paragraphs Other general functions of the Commissioner 


1(a), 1(g) and 2 


Schedule 15 Powers of entry and inspection 


